JP2009531952A - System and method for optimizing authentication procedure during handover between access systems - Google Patents

Abstract

  The present invention provides a method and system for deriving a new key for accessing a new system. The present invention enables an authentication procedure optimized using an existing system access key at the time of handover from an existing system to a new system. When preparing for a handover that allows the user terminal to perform fast re-authentication, the user terminal accessing the new system receives the temporary ID. The method uses an existing system access key to generate a system access key for a new network.

Description

  The present invention relates to heterogeneous systems, optimization of authentication procedures during handover between access systems, and a method of key derivation for evolved systems, in particular, prior access. The present invention relates to a method for generating a new key for ensuring communication with a new access system after a handover using a system key.

  The 3GPP (Radio Access Network: RAN), System Architecture (SA), and Core Terminal (CT) work groups of the 3rd Generation Partnership Project (Enhanced Next Generation Wireless System) ) The goal is to develop a UTRAN (E-UTRAN) structure. The E-UTRAN system is currently required to coexist with the second generation (2G) and third generation (3G) radio systems, and in particular, the existing system and 3GPP TR 23.882, 3GPP TS 23.401, and 3GPP TS It is required to support a handover with a newly evolved E-UTRAN system as specified in the 23.402 standard.

  The E-UTRAN system is an evolved system of the 3GPP UTRAN system, and the main entities are UE (User Equipment), ENB (Enhanced Node B), MME (Mobility Management Entity), UPE (User Plane) as shown in FIG. Entity) and IASA (Inter Access System Anchor). The ENB of the E-UTRAN system must have the characteristics of a Node B and a legacy UTRAN system Radio Network Controller (RNC). The System Architecture Evolution (SAE) MME manages and stores the UE context (UE / user identity (UE), UE mobility state, user security parameters in the idle state). In addition, the MME generates temporary identities assigned to the UE, confirms whether the UE remains in the TA or PLMN (Public Land Mobile Network), and performs user authentication. The SAE UPE terminates the downlink data path to the idle UE and triggers / initiates paging when downlink data arrives at the UE. The UPE also manages and stores UE context, for example, IP (Internet Protocol) bearer service or network internal routing information, and performs replication of user traffic in the case of an interception. IASA is a user plane anchor for mobility between different access systems. The IASA performs or supports a handover between different access systems.

  GERAN (GSM (Global System for Mobile Communication) / EDGE (Enhanced Data rates for Global Evolution) Radio Access Network) consists of a base transceiver station (Base Transceiver Station: BTS) and a base station controller (Base Station Controller: BSC). Is done. UTRAN is composed of a Node B and a radio network controller (RNC). As shown in FIG. 1, the GPRS (General Packet Radio Service) core network includes a serving GPRS support node (SGSN) and a gateway GPRS support node (GGSN).

  The Integrated Wireless Local Area Network (I-WLAN) system specified in the 3GPP TS 23.234 standard provides a system and method for integrating an old UTRAN system with a WLAN system, as shown in FIG. The I-WLAN system allows WLAN users to access 3GPP packet switched services.

  However, at present, no efficient mechanism for providing an authentication procedure at the time of handover between heterogeneous access systems has been presented. Furthermore, no method has been presented for generating the keys of the evolved system.

Therefore, the present invention eliminates at least the problems and disadvantages of the conventional techniques described above and provides the following advantages. Accordingly, an object of the present invention is to provide a method for optimizing an authentication procedure during handover between access systems in a heterogeneous network.
Another object of the present invention is to provide a system that optimizes an authentication procedure during handover between access systems in a heterogeneous network.
The present invention also provides a mechanism for generating SAE system specific keys.

  To achieve the above object, the present invention is a method for optimizing an authentication procedure at the time of handover between access systems in a heterogeneous network, and derives a new key for accessing a new system. Step, optimizing the authentication procedure using the existing system access key at the time of handover from the existing system to the new system, and accessing the new system at the time of handover preparation, and the UE re-authenticating quickly with the new system Receiving a temporary ID (Identification) for enabling the UE to be performed by the UE.

  Further, the present invention is a system for optimizing an authentication procedure at the time of handover between access systems in a heterogeneous network, a means for deriving a new key for accessing a new system, and a new system from an existing system. Means for optimizing the authentication procedure using the existing system access key used with the existing system at the time of handover to the user, and the user accessing the new system at the time of handover preparation enabling the user terminal to perform fast re-authentication Means for receiving a temporary ID by a terminal.

The present invention includes a mechanism for providing an authentication procedure optimized during handover by utilizing an active authentication key used in the second access system in the first access system. The present invention also includes a mechanism for performing fast re-authentication during the handover procedure.
The present invention includes a mechanism for generating keys for systems that have evolved to ensure communication between UEs and network entities.

Furthermore, according to another aspect of the present invention, it is as follows.
Optimize network access authentication procedures during handover in heterogeneous network environments.
Providing a mechanism for generating a new key for a new access system, instead of performing the access system's subordinate authentication procedure, instead using the latest active key generated by the previous access system. .
To provide a mechanism to derive new keys for both forward and reverse handovers.
For exchanging keys, security contexts, and other messages through a logical interworking unit co-located with a network entity of the SAE system or I-WLAN interworking system or another entity of the SAE system or I-WLAN interworking system Provide a signaling interface between MME / UPE and AAA (Authentication Authorization and Accounting) servers.
Generating a key with an active EUTRAN network access key by the UE and AAA server for I-WLAN access and secure communication.

  In the handover preparation stage, a key (EAP related keys, ie, TEK, MSK and EMSK) is generated from the SAE system or the UMTS system to the I-WLAN system using the latest CK (Cypher Key) and IK (Integrity Key). The UE transmits the I-WLAN ID and NAI to the SAE system through the measurement report. The network entity of the SAE system includes the latest CK and IK along with other parameters in the handover preparation request forwarded to the I-WLAN interworking system (HandOver: hereinafter referred to as “HO”). The UE and the network can generate a key during the handover preparation phase.

  During the I-WLAN attach procedure, when the UE moves from the SAE system to the I-WLAN system, if the UE and the AAA server generate a key during the handover preparation phase, the WLAN-AN sends the UE to the AAA server. When requesting authentication, the I-WLAN network entity (AAA server) provides to transmit the MSK to the WLAN-AN without the EAP authentication procedure. As described above, the UE and the I-WLAN AS may directly perform a specific handshake mechanism of IEEE (Institute of Electrical and Electronic Engineers) 802.11 and start L2 (Layer 2) protections. it can.

  In the handover preparation phase, the I-WLAN specific temporary ID (pseudonym) and / or fast re-authentication ID (in the HO accept message / HO command message) is transmitted to the UE by the AAA server. The UE may perform a fast re-authentication procedure at the initial handover from the SAE AS to the I-WLAN AS (when the network transmits a fast re-authentication ID and requires the UE to authenticate and refresh the key). it can. According to the present invention, the UE can transmit the sequence number of the last successfully received packet to the I-WLAN AS. The I-WLAN AS transmits the packet to the core network, and the core network can start transmitting the packet after the last successfully received sequence number to the UE.

  According to the present invention, the network is handed over from the SAE system or the UMTS system to the I-WLAN system, while the UE is in the scenario 2 and scenario 3 authentication procedures and the list of optimization procedures supported during the HO command. Can be instructed to perform together. In this way, the UE can select and start one of the optimization procedures supported directly by the network without enforcement and error methods.

  According to the present invention, the MME performs soft registration with the HSS in the HO preparation stage, and after handover, the UE connects to the MME. The SGSN performs soft registration with the HSS in the HO preparation stage, and after the handover, the UE connects to the SGSN.

  According to the present invention, the AAA server performs soft registration with the HSS in the HO preparation stage, and after the handover, the UE is connected to the AAA server. The secure mode command procedure is performed in the HO preparation phase during handover to the SAE system or UMTS system.

  According to the present invention, the UE transmits an algorithm selected from the list of network assisted algorithms broadcast by the network to the SAE system through the measurement report. With the HO command, the SAE system can agree / negotiate the UE selection algorithm and the UE can start protecting the initial message at handover.

  According to the present invention, the SGSN communicates the latest CK and IK to the MME or authentication and key management entity of the SAE system, and the MME or SAE system authentication and key management entity derives the SAE specific key before the handover. Alternatively, it is distributed to SAE system entities at the time of handover.

  According to the present invention, the MME converts LTE (Lon Term Evolution) related parameters into UMTS specific parameters when a HO request from another AS or a HO request to another AS. The MME communicates the latest CK and IK to the SGSN, and this SGSN distributes this key to the RNC (Radio Network Controller) at the time of handover preparation request from the SAE system.

  According to the present invention, during the forward handover authentication procedure for UMTS AS, the UE transmits the details of the previous access system through the RAU procedure or the initial NAS message, and the core network sends the security context (e.g., CK and IK) and buffered packets can be retrieved. During the forward handover authentication procedure to the I-WLAN AS, the UE transmits details of the previous access system, and the core network can retrieve the security context and buffered packets from the previous access system. Details of this previous access system are transmitted through an EAPOL ID response message.

  According to the present invention, the UE transmits the sequence number of the last successfully received packet to the access system, which communicates this to the core network previously and was last successfully received by the UE. Transmission of packets after the sequence number can be started.

  According to the present invention, when the UE and the network generate a key using UMTS CK and IK during the scenario 2 authentication procedure in the I-WLAN AS, the core network generates a temporary ID and transmits this to the UE. The UE initiates a fast re-authentication procedure for scenario 3 access.

  During the forward handover authentication procedure for SAE AS, the UE transmits the details of the previous access system through the TAU procedure or initial NAS message, and the core network receives the security context (eg CK and IK) and buffer from the previous access system. Search for ringed packets.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.
It will be apparent to those skilled in the art that various modifications can be made to the embodiments of the present invention without departing from the scope and spirit of the present invention. Further, when it is determined that a specific description related to a known function or configuration related to the present invention makes the gist of the present invention unclear, detailed description thereof will be omitted.

The present invention provides a system and method for providing an optimized authentication procedure during handover between heterogeneous networks, and also provides a mechanism for generating a SAE system specific key.
The method includes a mechanism for generating a new access system specific key using a previous access system key without performing an access system specific authentication procedure.

FIG. 3 shows a reverse handover (scenario 2 access) from the SAE to the I-WLAN access system according to the present invention.
Referring to FIG. 3, in step 1, the UE transmits periodic or event-based measurements to the EUTRAN network. If the ENB (Evolving Node B) / MME (Mobility Management Entity) knows that the UE measurement is below the threshold or if the MME determines that it cannot sustain the EUTRAN in any way, then in step 2a, another RAT The UE can be requested to start scanning (Radio Access Technology) or it can be requested to scan for a specific RAT available in the neighboring RAT or its coverage area. Also, by layer 2 (L2) or other means, the UE determines that EUTRAN cannot be sustained and starts scanning for another RAT.

  In step 3, the UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI along with other parameters to the SAE system. The ENB / MME then decides to hand over the UE to the I-WLAN network by itself or selectively by a logical interworking unit.

  Using the NAI (Network Address Identifier), the MME analyzes the IP address of the I-WLAN AAA server in step 4 and connects to the AAA server through a logical interworking unit. This logical interworking unit can be located in the MME or AAA server or simultaneously in the network entity of the SAE system or I-WLAN system. The function of the interworking unit is to convert the RAN and CN container / protocol / parameter of the first access system to the second access system.

  In step 5, the MME transmits a HO request to the AAA server through the interworking unit. The HO request includes NAI, I-WLAN ID, unused AV (Authentication Vector), latest CK and IK, and other parameters.

  The AAA checks the HSS as to whether another AAA has been registered with the HSS (Home Subscription Service). If not, the AAA performs soft registration in step 6. AAA generates / derives keys (MSK, TEK, and EMSK) using NAI, CK, and IK. The AAA server generates a Temp ID (an anonymous ID and a fast re-authentication ID), protects (encrypts) the Temp ID using the generated TEK, and transmits it to the UE.

In step 7, the AAA server transmits the HO approval to the MME through the interworking unit. The HO approval message includes a protected Temp ID and an indication of whether scenario 2 and scenario 3 authentication has been requested.
In step 8, the MME transmits the parameters received through the HO acknowledgment message to the UE as a HO command message.

  After receiving the HO command from the SAE system for handover to the I-WLAN network, the UE generates a key (MSK, TEK and EMSK) using the latest CK and IK and protected in step 9 Decodes the Temp ID. In step 10, the UE initiates an L2 attachment with the I-WLAN AS.

When the I-WLAN system requests authentication, the WLAN-AN may perform step 11a. 1 starts the authentication procedure.
Then, the UE performs step 11a. 2, when a Temp ID is received through a HO command, a Temp ID (fast re-authentication ID) is transmitted. The UE transmits the EAP response identification including the Temp ID (anonymous ID or fast re-authentication ID) and optionally integrity protection of the EAP response identification message to the AAA server through the I-WLAN AN.

  When the AAA server receives the EAP response identification message with the Temp ID, the AAA knows that the UE has performed HO preparation. The AAA server executes step 11a. 3. Verify integrity protection and Temp ID. Therefore, the AAA authenticates the UE. Optionally, if the AAA server was previously requested to use a protected success indication, the MAC (Medium Access Control) protected message EAP request / AKA notification (Notification ) Can be transmitted. The AAA server generates a new Temp ID and transmits it to the UE together with the EAP request / AKA notification message. The WLAN AN communicates an EAP request / AKA notification message to the UE, and the UE sends an EAP response / AKA notification. The WLAN AN transmits an EAP response / AKA notification message to the AAA server, and the AAA server ignores the contents of these messages.

  The AAA server executes step 11a. 4, transmit an EAP success message to the WLAN AN. When some extra keying material is generated for WLAN technology specific confidentiality and / or integrity protection, the AAA server may use this keying element as an underlying AAA protocol message (ie, EAP). (Not level). The I-WLAN AN stores keying elements used for communication with authenticated WLAN-UEs. If the AAA server is not using a protected successful result indication, the AAA server generates a new Temp ID and transmits it to the UE along with the EAP success message.

The I-WLAN AN performs step 11a. 5. Inform the WLAN-UE about successful authentication through an EAP success message. At this time, the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN AN share the keying elements generated during this exchange.
Alternatively, in step 11b, the UE initiates a fast re-authentication procedure with the I-WLAN network. If the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to start the overall authentication procedure.

FIG. 4 shows a reverse handover (scenario 2 and scenario 3 access) from the SAE to the I-WLAN access system according to the present invention.
Referring to FIG. 4, in step 1, the UE transmits periodic or event-based measurements to the EUTRAN network.

  If the ENB / MME finds that the UE measurement is below the threshold, or if the MME determines that it cannot sustain the EUTRAN in any way, it requests the UE to start scanning other RATs in step 2a. Alternatively, the UE can be requested to scan for a neighboring RAT or a specific RAT available within its service area. Also, by L2 or other means, the UE determines that EUTRAN cannot be sustained and starts scanning other RATs.

  In step 3, the UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI along with other parameters to the SAE system. The ENB / MME then decides to hand over the UE to the I-WLAN network.

  Using the NAI, the MME analyzes the I-WLAN AAA server IP address in step 4 and connects to the AAA server through a logical interworking unit. This logical interworking unit can be located in the MME or AAA server or simultaneously in the network entity of the SAE system or I-WLAN system. The function of the interworking unit is to convert the RAN and CN container / protocol / parameter of the first access system to the second access system.

  In step 5, the MME transmits a HO request to the AAA server through the interworking unit. The HO request includes NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters.

  In step 6, the AAA checks the HSS as to whether another AAA has been registered with the HSS, and if not, the AAA performs a soft registration. AAA generates keys (MSK, TEK and EMSK) using NAI, CK and IK. Also, the AAA server generates a Temp ID (anonymous ID and fast re-authentication ID), protects (encrypts) the Temp ID using the generated TEK, and transmits it to the UE.

  The AAA server transmits the HO approval to the MME through the interworking unit in step 7. The HO approval message includes a protected Temp ID and an indication of whether scenario 2 and scenario 3 authentication has been requested. The AAA server also includes an optimization procedure supported in the HO approval for UEs that perform scenario 2 and scenario 3 in succession.

In step 8, the MME transmits the received parameters as a HO command message to the UE through a HO acknowledgment message.
After receiving the HO command from the SAE system for handover to the I-WLAN network, the UE generates a key (MSK, TEK and EMSK) using the latest CK and IK and protected in step 9 Decrypts Temp ID (anonymous ID and fast re-authentication ID). In step 10, the UE initiates an L2 connection with the I-WLAN AS.

  When the I-WLAN system requests authentication, the WLAN-AN may perform step 11a. 1 starts the authentication procedure. Then, the UE performs step 11a. 2, transmit Temp ID (fast re-authentication ID) when received through HO command. The UE transmits the EAP response identification including the Temp ID (anonymous ID or fast re-authentication ID) and optionally the integrity protection of the EAP response identification message to the AAA server through the I-WLAN AN.

  When the AAA server receives the EAP response identification message with the Temp ID, the AAA knows that the UE has performed HO preparation. The AAA server executes step 11a. 3. Verify integrity protection and Temp ID. Therefore, the AAA authenticates the UE. Optionally, if the AAA server was previously requested to use the protected success indication, a MAC protected message EAP request / AKA notification can be sent prior to the EAP success message. The AAA server generates a new Temp ID and transmits it to the UE together with the EAP request / AKA notification message. The WLAN AN transmits an EAP request / AKA notification message to the UE, and the UE transmits an EAP response / AKA notification. The WLAN AN transmits an EAP response / AKA notification message to the AAA server, and the AAA server ignores the contents of these messages.

  The AAA server executes step 11a. 4, transmit an EAP success message to the WLAN AN. When some extra keying elements are generated for WLAN technology specific confidentiality and / or integrity protection, the AAA server includes this keying element in the basic AAA protocol message (ie, not at the EAP level). The I-WLAN AN stores keying elements used for communication with authenticated WLAN-UEs. If the AAA server is not using a protected successful result indication, the AAA server generates a new Temp ID and transmits it to the UE along with the EAP success message.

  The I-WLAN AN performs step 11a. 5. Inform the WLAN-UE with an EAP success message regarding successful authentication. At this time, the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN AN share the keying elements generated during this exchange.

  Alternatively, the UE starts a fast re-authentication procedure with the I-WLAN network in step 11b. If the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to start the overall authentication procedure.

After a successful scenario 2 authentication procedure, the UE starts an optimized authentication procedure for scenario 3 listed by the AAA server in the HO order in step 12a. The UE can initiate the scenario 3 authentication procedure using an EMSK based optimization procedure.
The UE can also initiate a fast re-authentication procedure for the scenario 3 authentication procedure in step 12b.

FIG. 5 shows a reverse handover (direct scenario 3 access) from the SAE to the I-WLAN access system according to the present invention.
Referring to FIG. 5, in step 1, the UE transmits periodic or event-based measurements to the EUTRAN network.

  If the ENB / MME finds that the UE measurement is below the threshold, or if the MME determines that it cannot sustain EUTRAN in any way, it requests the UE to start scanning other RATs in step 2 Alternatively, the UE can be requested to scan for a neighboring RAT or a specific RAT available within its service area. Also, by L2 or other means, the UE determines that EUTRAN cannot be sustained and starts scanning other RATs.

  In step 3, the UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI along with other parameters to the SAE system. The ENB / MME then decides to hand over the UE to the I-WLAN network.

  Using NAI, the MME analyzes the I-WLANAA server IP address and connects to the AAA server through a logical interworking unit in step 4. This logical interworking unit can be located in the MME or AAA server or simultaneously in the network entity of the SAE system or I-WLAN system. The function of the interworking unit is to convert the RAN and CN container / protocol / parameter of the first access system to the second access system.

  In step 5, the MME transmits a HO request to the AAA server through the interworking unit. The HO request includes NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters.

  The AAA checks the HSS as to whether other AAAs are registered with the HSS, and if not, the AAA performs soft registration. AAA generates keys (MSK, TEK and EMSK) using NAI, CK and IK. Further, the AAA server generates a Temp ID (anonymous ID and fast re-authentication ID), and protects (encrypts) the Temp ID using the generated TEK. Then, the AAA transmits the Temp ID to the UE.

  The AAA server transmits the HO approval to the MME through the interworking unit in step 7. The HO approval message includes a protected Temp ID and an indication of whether scenario 2 and scenario 3 authentication has been requested. The AAA server also includes in the HO approval an optimization procedure that is supported for UEs that perform scenario 2 and scenario 3 in succession.

In step 8, the MME transmits the received parameters as a HO command message to the UE through a HO acknowledgment message.
After receiving the HO command from the SAE system for handover to the I-WLAN network, the UE generates a key (MSK, TEK and EMSK) using the latest CK and IK and protected in step 9 Decodes the Temp ID.
In step 10, the UE initiates an L2 connection with the I-WLAN AS.

After successful connection with the I-WLAN AN, the UE starts an optimized authentication procedure for scenario 3 listed by the AAA server in the HO order in step 11a. The UE can initiate the scenario 3 authentication procedure using an EMSK based optimization procedure.
The UE can optionally initiate a fast re-authentication procedure for the scenario 3 authentication procedure in step 11b.

Forward handover from SAE to I-WLAN AS:
During the authentication procedure, the UE transmits details of the previous access system, so that the core network can retrieve the security context and buffered packets from the previous access system. Details of the recent access system can be transmitted in the EAPOL ID response message.

  During the scenario 2 authentication procedure, when the UE and the network generate a key using CK and IK, the core network generates a Temp ID and communicates it to the UE. The UE can initiate a fast re-authentication procedure for scenario 3 access.

  The UE transmits the sequence number of the last successfully received packet to the I-WLAN network, and the I-WLAN network can transmit this sequence number to the core network. The core network then begins to transmit packets after the sequence number that was last successfully received by the UE.

FIG. 6 shows a reverse handover (alternative 1) from the I-WLAN to the SAE system according to the invention.
Referring to FIG. 6, in step 1, the UE transmits periodic or event-based measurements to a logical decision and interworking unit. This logical decision and interworking unit may be located within the MME or AAA server, or as a separate entity, or simultaneously within the network entity of the SAE system or I-WLAN system. The function of the decision and interworking unit converts the RAN and CN container / protocol / parameter of the first access system to the second access system and decides whether to perform HO based on the measured value.

  If the logical decision and interworking unit finds that the UE measurement is below the threshold and determines that the I-WLAN cannot be sustained by other means, the logical decision and interworking unit The UE can request the UE to start scanning for another RAT, or the ENB / MME can request the UE to scan for a neighboring RAT or a specific RAT available in its service area. Also, by L2 or some other means, the UE determines that the I-WLAN cannot be sustained and starts scanning other RATs.

In step 3, the UE transmits a SAE measurement report including TAI, selected UIA and UEA, ENB-ID, and optionally a START value to the logical decision and interworking unit through the AAA server.
Then, in step 4, the logical decision and interworking unit decides to hand over the UE to the SAE network and informs the AAA server of this.
Using the TAI, the AAA server learns the MME address by connecting to the HSS.

In step 6, the AAA server transmits a HO request message to the MME / UPE. The HO request message includes the previous RAT type, unused AV, latest CK and IK, optionally ENB-ID and other parameters.
The MME checks the HSS as to whether other MMEs have been registered with the HSS, and if not, performs soft registration at step 7. The MME also generates a key.

In step 8, the MME transmits the HO approval to the AAA server through the interworking unit. This HO acknowledgment message contains information on the selected UEA and UIA, optionally whether to initiate FRESH and RAN protection and other parameters.
The AAA server transmits the parameter received through the HO acknowledgment message in step 9 to the UE through the HO command message.

After receiving a HO command from the AAA server for handover to the SAE network, the UE causes the SAE system to generate a unique key using the latest CK and IK in step 10.
In step 11, the UE initiates an L2 connection with the ENB without any protection.

In step 12, the UE transmits an initial layer 3 (L3) message to the MME / UPE. The initial L3 message includes user identification, START value, and MAC-I _NAS . This MAC-I _NAS is calculated using the generated SAE specific key and optionally the FRESH and START values.

In step 13, the MME / UPE verifies the MAC-I using the generated key, the received START, and optionally the FRESH value.
The MME / UPE transmits an initial L3 message response including keys for ENB, START, optionally FRESH and agreed UEA and UIA. The MME calculates the MAC-I _NAS through the initial L3 message response with the key removed for ENB, START, optionally FRESH and agreed UEA and UIA.

The ENB receives the initial L3 message response and stores the key for START, optionally FRESH and agreed UEA and UIA.
The ENB communicates an initial L3 message response to the UE. Optionally, the ENB can initiate RAN security (MAC-I _RAN ).
The UE verifies MAC-I _NAS and MAC-I _RAN .

FIG. 7 shows a reverse handover (alternative 2) from I-WLAN to SAE system according to the present invention.
Referring to FIG. 7, in step 1, the UE transmits periodic or event-based measurements to the logical decision and interworking unit. This logical decision and interworking unit may be located within the MME or AAA server, or as a separate entity, or simultaneously within the network entity of the SAE system or I-WLAN system. The function of the decision and interworking unit converts the RAN and CN container / protocol / parameter of the first access system to the second access system and decides whether to perform HO based on the measured value.

  If the logical decision and interworking unit finds that the UE measurement is below the threshold and determines that the I-WLAN cannot be sustained by other means, the logical decision and interworking unit The UE can request the UE to start scanning for another RAT, or the ENB / MME can request the UE to scan for a neighboring RAT or a specific RAT available in its service area. Also, by L2 or some other means, the UE determines that the I-WLAN cannot be sustained and starts scanning other RATs.

In step 3, the UE transmits a SAE measurement report including TAI, selected UIA and UEA, ENB-ID, and optionally a START value to the logical decision and interworking unit through the AAA server.
The logical decision and interworking unit then decides to hand over the UE to the SAE network and informs the AAA server of this.
Using the TAI, the AAA server will know the MME address by connecting to the HSS in step 5.

In step 6, the AAA server transmits a HO request message to the MME / UPE. The HO request message includes the previous RAT type, unused AV, latest CK and IK, optionally ENB-ID and other parameters.
In step 7, the MME checks the HSS as to whether another MME is registered with the HSS, and if not, performs the soft registration. The MME also generates a key using the CK and IK by the AAA server.

In step 8, the MME generates FRESH using the ENB-ID and distributes the security context to the ENB.
In step 9, the MME transmits the HO approval to the AAA server through the interworking unit. The HO acknowledgment message includes information about the selected UEA and UIA, and optionally whether to initiate FRESH and RAN protection and other parameters.

In step 10, the AAA server transmits the parameters received through the HO acknowledgment message to the UE through the HO command message.
After receiving a HO command from the AAA server for handover to the SAE network, the UE generates a key specific to the SAE system using the latest CK and IK in step 11 and starts RAN protection.

In step 12, the UE initiates an L2 connection with the ENB. The UE starts protecting the RRC message. During the initial message to the ENB, the UE communicates the START value and calculates the MAC-I _RAN using the generated SAE specific key, optionally the FRESH and START values. The ENB then verifies the MAC-I _RAN using the security context received in step 8 along with the START value.

In step 13, the UE transmits an initial L3 message to the MME / UPE. The initial L3 message includes user identification, START value, and MAC-I _NAS . This MAC-I _NAS is calculated using the generated SAE specific key and optionally the FRESH and START values.

The MME / UPE verifies the MAC-I _NAS at step 14 using the generated key, the received START, and optionally the FRESH value.
The MME / UPE transmits an initial L3 message response. The MME calculates the MAC-I _NAS through the initial L3 message response.

Forward handover from I-WLAN to SAE system:
During the TAU procedure or initial NAS message, the UE transmits the details of the previous access system in the TAU procedure, and the core network retrieves the security context (CK and IK) and buffered packets from the previous access system. Can do.

FIG. 8 illustrates a reverse handover from a UMTS to an SAE system according to the present invention.
Referring to FIG. 8, in step 1, the UE transmits periodic or event-based measurements to the SGSN.
Based on the measurement report, the SGSN requests the UE to start scanning for other RATs in step 2, or the ENB / MME scans the adjacent RAT or a specific RAT available in its service area. Can be requested. Alternatively, by L2 or other means, the UE determines that UMTS cannot be sustained and starts scanning for other RATs.

In step 3, the UE transmits an SAE measurement report including TAI, selected UIA and UEA, optionally START value and / or ENB ID to the SGSN.
The SGSN then decides to hand over the UE to the SAE network. Using TAI, the SGSN becomes aware of the MME address in step 4 and uses the S3 or S4 interface, connects to the HSS, or connects to the MME through other methods.

  In step 5, the SGSN transmits a HO request message to the MME / UPE. The HO request message includes the security context, previous RAT type, unused AV, latest CK and IK, and optionally ENB-ID, START value, KSI and other parameters.

  In step 6, the MME checks the HSS for whether or not the MME is registered with the HSS, otherwise the MME performs a soft registration. The MME generates a key using the CK and IK transmitted by the SGSN. The MME translates UMTS parameters into SAE specific parameters using logical interworking units that can be located in the MME or AAA server, or co-located in the network entity of the SAE system or I-WLAN system. . The function of the interworking unit converts the RAN and CN container / protocol / parameters of one access system into another.

  In step 7, the MME generates a FRESH and sends the ENB key for RAN protection, the selected UIA and UEA, the security context including the FRESH, START, KSI, and other parameters to the ENB using the ENB-ID. Distribute.

In step 8, the MME transmits a HO acknowledgment to the SGSN. The HO acknowledgment message includes the selected UEA and UIA, optionally FRESH.
In step 9, the SGSN transmits the parameters received through the HO acknowledgment message to the UE through the HO command message.
After receiving a HO command from the SGSN for handover to the SAE network, the UE generates a key specific to the SAE system using the latest CK and IK in step 10 and starts RAN protection.

In step 11, the UE initiates an L2 connection with the ENB. The UE selectively initiates protection of the RRC message. During the initial message to the ENB, the UE communicates the START value and calculates the MAC-I _RAN using the generated SAE specific key, optionally the FRESH and START values. The ENB then verifies the MAC-I _RAN using the security context received in step 8 along with the START value.

In step 12, the UE transmits an initial L3 message to the MME / UPE. The initial L3 message includes user identification, START value, and MAC-I _NAS . This MAC-I _NAS is calculated using the generated SAE specific key and optionally the FRESH and START values.

In step 13, the MME / UPE verifies MAC-I using the generated key, the received START, and optionally the FRESH value.
In step 14, the MME / UPE transmits an initial L3 message response. The MME calculates the MAC-I _NAS through the initial L3 message response.

Forward handover from UMTS to SAE system:
During the TAU procedure or initial NAS message, the UE transmits the details of the previous access system, and the core network can retrieve the security context (CK and IK) and buffered packets from the previous access system.

FIG. 9 illustrates a reverse handover from an SAE to a UMTS system according to the present invention.
Referring to FIG. 9, in step 1, the UE transmits periodic or event-based measurements to the ENB / MME.

  Based on the measurement report, the ENB / MME asks the UE to start scanning for other RATs in step 2, or the ENB / MME scans for a specific RAT available to the neighboring RAT or its service area. To the UE. Alternatively, by L2 or other means, the UE determines that EUTRAN cannot be sustained and starts scanning for other RATs.

In step 3, the UE transmits a UMTS measurement report including RAI, supported UIA and UEA, KSI and START values and cell ID to the ENB / MME.
The SGSN then decides to hand over the UE to the UMTS network in step 4. Using RAI, the MME knows the SGSN address, uses the S3 or S4 interface, connects to the HSS, or connects to the SGSM through a known method.

  In step 5, the MME transmits a HO request message to the SGSN. The HO request message includes the security context, previous RAT type, unused AV, latest CK and IK, and optionally cell ID, START value, KSI and other parameters. The MME is deployed in the MME or SGSN, or as a separate network entity, or the SAME parameters are UMTS using a logical interworking unit that can be deployed simultaneously in the network entity of the SAE or UMTS system. Convert to unique parameters. The function of the interworking unit converts the RAN and CN container / protocol / parameter of the first access system to the second access system.

  In step 6, the SGSN checks the HSS as to whether the SGSN is registered in the HSS, otherwise performs soft registration.

  In step 7, the SGSN generates FRESH and uses the cell ID to transmit the security context including the key for protection, the selected UIA and UEA, FRESH, START, KSI and other parameters to the RNC. The RNC stores the received parameters.

In step 8, the SGSN transmits the HO approval to the MME. The HO acknowledgment message includes the selected UEA and UIA, and optionally FRESH.
In step 9, the MME communicates the parameters received through the HO acknowledgment message to the UE through the HO command message.

After receiving a HO command from the MME for handover to the UMTS network, the UE selectively initiates RAN protection using the latest CK and IK for the UMTS network in step 10.
In step 11, the UE initiates an L2 connection with the RNC. The UE selectively starts protecting the RRC message. During the initial message to the RNC, the UE transmits a START value.

In step 12, the UE transmits an initial L3 message to the SGSN. The initial L3 message includes user identification, START value, KSI and MAC-I.
The RNC verifies the MAC-I at step 13 and transmits it to the SGSN at step 14.

Forward handover from SAE to UMTS system:
During the RAU procedure or the first NAS message, the UE may transmit the details of the last / previous access system and the core network may retrieve the buffered packets with the security context (CK and IK) from the previous access system. it can.

FIG. 10 shows a reverse handover (scenario 2 access) from a UMTS to an I-WLAN access system according to the present invention.
Referring to FIG. 10, in step 1, the UE transmits periodic or event-based measurements to the UTRAN network.

  If the RNC / SGSN finds that the UE measurement is below the threshold or if the SGSN determines that it cannot sustain the EUTRAN in any way, it requests the UE to start scanning other RATs in step 2 Alternatively, the UE can be requested to scan for a neighboring RAT or a specific RAT available within its service area. Also, by L2 or other means, the UE determines that UTRAN cannot be sustained and starts scanning for another RAT.

  In step 3, the UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI along with other parameters to the SGSN. The SGSN then decides to hand over the UE to the I-WLAN network.

  Using the NAI, the SGSN analyzes the I-WLAN AAA server IP address in step 4 and connects to the AAA server through a logical interworking unit. This logical interworking unit is located in the SGSN or AAA server or as a separate network entity. Alternatively, they can be co-located within the network entity of a UMTS system or I-WLAN system. The function of the interworking unit is to convert the RAN and CN container / protocol / parameter of the first access system to the second access system.

  In step 5, the SGSN transmits a HO request to the AAA server through the interworking unit. The HO request includes NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters.

  The AAA checks the HSS as to whether another AAA has been registered with the HSS, and if not, the AAA performs soft registration at step 6. AAA generates a key (MSK, TEK and EMSK) and a Temp ID (anonymous ID and fast re-authentication ID) using NAI, CK and IK. The AAA server protects (encrypts) the Temp ID using the generated TEK and transmits it to the UE.

In step 7, the AAA server transmits the HO approval to the SGSN through the interworking unit. The HO approval message includes a protected Temp ID and an indication of whether scenario 2 and scenario 3 authentication has been requested.
In step 8, the SGSN transmits the parameters received through the HO acknowledgment message to the UE as a HO command message.

  After receiving the HO command from the UMTS system for handover to the I-WLAN network, the UE generates a key (MSK, TEK and EMSK) using the latest CK and IK and protected in step 9 Decrypt Temp ID (anonymous ID or fast re-authentication ID).

In step 10, the UE initiates an L2 connection with the I-WLAN AS.
When the I-WLAN system requests authentication, the WLAN-AN may perform step 11a. 1 starts the authentication procedure.

  Then, the UE performs step 11a. 2, transmit Temp ID (fast re-authentication ID) when received through HO command. The UE transmits the EAP response identification including the Temp ID (anonymous ID or fast re-authentication ID) and the integrity protection of the EAP response identification message to the AAA server through the I-WLAN AN.

  When the AAA server receives the EAP response identification message with the Temp ID, the AAA knows that the UE has performed HO preparation. The AAA server executes step 11a. 3. Verify integrity protection and Temp ID. Therefore, the AAA authenticates the UE. The AAA server optionally sends a MAC protected message EAP request / AKA notification prior to the EAP success message if the AAA server was previously requested to use the protected success indication. be able to. The AAA server generates a new Temp ID and transmits it to the UE together with the EAP request / AKA notification message. The WLAN AN communicates an EAP request / AKA notification message to the UE. The UE transmits an EAP response / AKA notification. The WLAN AN transmits an EAP response / AKA notification message to the AAA server, and the AAA server ignores the contents of these messages.

  The AAA server executes step 11a. 4, transmit an EAP success message to the WLAN AN. When some extra keying elements are generated for WLAN technology specific confidentiality and / or integrity protection, the AAA server includes this keying element in the basic AAA protocol message (ie, not at the EAP level). The I-WLAN AN stores keying elements used for communication with authenticated WLAN-UEs. If the AAA server is not using a protected successful result indication, the AAA server generates a new Temp ID and transmits it to the UE along with the EAP success message.

  The I-WLAN AN performs step 11a. 5. Inform the WLAN-UE with an EAP success message regarding successful authentication. At this time, the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN AN share the keying elements generated during this exchange.

  Alternatively, in step 11b, the UE initiates a fast re-authentication procedure with the I-WLAN network. If the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to start the overall authentication procedure.

FIG. 11 illustrates a reverse handover (scenario 2 and scenario 3 access) from a UMTS to an I-WLAN access system according to the present invention.
Referring to FIG. 11, in step 1, the UE transmits periodic or event-based measurements to the EUTRAN network.

  If the RNC / SGSN finds that the UE measurement is below the threshold, or if the SGSN determines that it cannot sustain EUTRAN in any way, it may request the UE to start scanning other RATs or it may Alternatively, the UE can be requested to scan for specific RATs available within its service area. Also, by L2 or other means, the UE determines that UTRAN cannot be sustained and starts scanning for another RAT.

  In step 3, the UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI along with other parameters to the SGSN. The SGSN then decides to hand over the UE to the I-WLAN network.

  Using the NAI, the SGSN analyzes the I-WLAN AAA server IP address in step 4 and connects to the AAA server through a logical interworking unit. This logical interworking unit can be located in the SGSN or AAA server, in a separate network entity, or simultaneously in the network entity of the UMTS system or I-WLAN system. The function of the interworking unit is to convert the RAN and CN container / protocol / parameter of one access system to another access system.

  In step 5, the SGSN transmits a HO request to the AAA server through the interworking unit. The HO request includes NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters.

  The AAA checks the HSS as to whether other AAAs are registered with the HSS, and if not, the AAA performs soft registration. AAA generates keys (MSK, TEK and EMSK) using NAI, CK and IK. Also, the AAA server generates a Temp ID (anonymous ID and fast re-authentication ID), protects (encrypts) the Temp ID using the generated TEK, and transmits it to the UE.

  The AAA server transmits the HO approval to the SGSN through the interworking unit in step 7. The HO approval message includes a protected Temp ID and an indication of whether scenario 2 and scenario 3 authentication has been requested. The AAA server also includes in the HO approval an optimization procedure that is supported for UEs that perform scenario 2 and scenario 3 in succession.

In step 8, the SGSN transmits the parameters received through the HO acknowledgment message to the UE as a HO command message.
After receiving the HO command from the UMTS system for handover to the I-WLAN network, the UE generates a key (MSK, TEK and EMSK) using the latest CK and IK and protected in step 9 Decodes the Temp ID.

In step 10, the UE initiates an L2 connection with the I-WLAN AS.
When the I-WLAN system requests authentication, the WLAN-AN may perform step 11a. 1 starts the authentication procedure.

  Then, the UE performs step 11a. 2, transmit Temp ID (fast re-authentication ID) when received through HO command. The UE transmits the EAP response identification including the Temp ID (anonymous ID or fast re-authentication ID) and the integrity protection of the EAP response identification message to the AAA server through the I-WLAN AN.

  When the AAA server receives the EAP response identification message with the Temp ID, the AAA knows that the UE has performed HO preparation. The AAA server executes step 11a. 3. Verify integrity protection and Temp ID. Therefore, the AAA authenticates the UE. Optionally, if the AAA server was previously requested to use a protected success indication, a MAC protected message EAP request / AKA notification may be sent prior to the EAP success message. The AAA server generates a new Temp ID and transmits it to the UE together with the EAP request / AKA notification message. The WLAN AN communicates an EAP request / AKA notification message to the UE. The UE transmits an EAP response / AKA notification. The WLAN AN transmits an EAP response / AKA notification message to the AAA server, and the AAA server ignores the contents of these messages.

  The AAA server executes step 11a. 4, transmit an EAP success message to the WLAN AN. When some extra keying elements are generated for WLAN technology specific confidentiality and / or integrity protection, the AAA server includes this keying element in the basic AAA protocol message (ie, not at the EAP level). The I-WLAN AN stores keying elements used for communication with authenticated WLAN-UEs. If the AAA server is not using a protected successful result indication, the AAA server generates a new Temp ID and transmits it to the UE along with the EAP success message.

  The I-WLAN AN performs step 11a. 5. Inform the WLAN-UE with an EAP success message regarding successful authentication. At this time, the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN AN share the keying elements generated during this exchange.

  Also, in step 11b, the UE starts a fast re-authentication procedure with the I-WLAN network. If the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to start the overall authentication procedure.

After a successful scenario 2 authentication procedure, the UE starts an optimized authentication procedure for scenario 3 listed by the AAA server in the HO order in step 12a. The UE can initiate the scenario 3 authentication procedure using an EMSK based optimization procedure.
The UE can also initiate a fast re-authentication procedure for the scenario 3 authentication procedure in step 12b.

FIG. 12 shows a reverse handover (scenario 3 access) from a UMTS to an I-WLAN access system according to the present invention.
Referring to FIG. 12, in step 1, the UE transmits periodic or event-based measurements to the UTRAN network.

  If the RNC / SGSN finds that the UE measurement is below the threshold or if the SGSN determines that it cannot sustain the EUTRAN in any way, it requests the UE to start scanning other RATs in step 2 Alternatively, the UE can be requested to scan for a neighboring RAT or a specific RAT available within its service area. Also, by L2 or other means, the UE determines that UTRAN cannot be sustained and starts scanning for another RAT.

  In step 3, the UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI along with other parameters to the SGSN. The SGSN then decides to hand over the UE to the I-WLAN network.

  Using the NAI, the SGSN analyzes the I-WLAN AAA server IP address in step 4 and connects to the AAA server through a logical interworking unit. This logical interworking unit can be located in the SGSN or AAA server, in a separate network entity, or simultaneously in the network entity of the UMTS system or I-WLAN system. The function of the interworking unit is to convert the RAN and CN container / protocol / parameter of one access system to another access system.

  In step 5, the SGSN transmits a HO request to the AAA server through the interworking unit. The HO request includes NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters.

  In step 6, the AAA checks the HSS as to whether another AAA has registered with the HSS, and if not, performs the soft registration. The AAA generates / derives keys (MSK, TEK and EMSK) using NAI, CK and IK. Also, the AAA server generates a Temp ID (anonymous ID and fast re-authentication ID), protects (encrypts) the Temp ID using the generated TEK, and transmits it to the UE.

  The AAA server transmits the HO approval to the SGSN through the interworking unit in step 7. The HO approval message includes a protected Temp ID (anonymous ID and fast re-authentication ID) and an indication of whether scenario 2 and scenario 3 authentication has been requested. The AAA server also includes in the HO approval an optimization procedure that is supported for UEs that perform scenario 2 and scenario 3 in succession.

In step 8, the SGSN transmits the parameters received through the HO acknowledgment message to the UE as a HO command message.
After receiving the HO command from the UMTS system for handover to the I-WLAN network, the UE generates a key (MSK, TEK and EMSK) using the latest CK and IK and protected in step 9 Decodes Temp (anonymous ID and fast re-authentication ID) ID.

In step 10, the UE initiates an L2 connection with the I-WLAN AS.
After successful connection with the I-WLAN AN, the UE starts an optimized authentication procedure for scenario 3 listed by the AAA server in the HO order in step 11a. The UE can initiate the scenario 3 authentication procedure using an EMSK based optimization procedure.
The UE can optionally initiate a fast re-authentication procedure for the scenario 3 authentication procedure in step 11b.

Forward handover from SAE system to I-WLAN AS:
During the authentication procedure, the UE transmits details of the previous access system, so that the core network can retrieve the security context and buffered packets from the previous access system. Details of the recent access system can be transmitted in the EAPOL ID response message.

  During the scenario 2 authentication procedure, when the UE and the network generate a key using CK and IK, the core network generates a Temp ID and communicates it to the UE. The UE can initiate a fast re-authentication procedure for scenario 3 access.

  The UE transmits the sequence number of the last successfully received packet to the I-WLAN network. The I-WLAN network can communicate this sequence number to the core network. The core network then begins to transmit packets after the sequence number that was last successfully received by the UE.

Reverse handover from I-WLAN to UMTS access system:
The UE and network can selectively use the latest CK and IK. This UE initiates the RRC connection procedure and the SMC procedure without AKA authentication.
Also, the SMC procedure can be performed in the HO preparation stage.
With the HO command, the network transmits the supported algorithm, and the UE selects the algorithm and begins initial message protection.

Forward handover from I-WLAN to UMTS access system:
During the RAU procedure, the UE transmits the details of the previous access system through the RAU message, and the core network can retrieve the security context (CK and IK) and buffered packets from the previous access system.

Key generation for SAE systems-Alternative 1: as shown in FIG.
As shown in FIG. 13, 9AV is generated by UE and HSS. Functions f6, f7, f8, and f9 are new key derivation functions for the LTE / SAE system. When the MME requests n 9AVs, the HSS transmits the AV to the MME in order to authenticate and secure the communication of the UE capable of LTE / SAE.

  The security context transmission from the LTE / SAE to another RAT is expressed as the following <Formula 1> or <Formula 2>.

  Or

Here, CK represents a cipher key, and IK represents an integrity key or an AV key from the HSS.
The security context transmission from other RATs to LTE / SAE is shown as <Formula 3>.

Here, CK represents an encryption key, and IK represents an integrity key.
The above key is derived at the UE and MME.
When MME and UPE are combined, functions F8 and F9 are not provided, and CK _NAS and IK _NAS are used for NAS signal protection and user plane protection.
Security context transmission from LTE / SAE to other RATs is shown as <Formula 4>.

Here, CK and IK are identified in advance.
The security context transmission from another RAT to LTE / SAE is as shown in the following <Formula 5>.

  Here, prf represents a pseudo random function, and CK, IK, and UE are identified in advance.

Key derivation for SAE systems-Alternative 2:
In this alternative, the LTE / SAE system uses UMTS AV as shown in FIG. 14, and derives another key as shown in <Formula 6> shown below.

CK _NAS and IK _NAS common to all MMEs, CK _UP and IK _UP common to all UPEs (User Plane Entity), and CK _RAN and IK _RAN common to all ENBs is there.
When MME and UPE are combined, functions F8 and F9 are not provided and CK _NAS and IK _NAS are used for NAS signal protection and user plane protection.

Here, each of these parameters is identified in advance.
The UE identification is NAI format when EAP-AKA is used, and IMSI or TMSI when UMTS-AKA based authentication is performed.
Also, UE identification can be associated with serving node identification.
There is a common CK _NAS and IK _NAS for all MMEs in the same operator domain and a common CK _RAN and IK _RAN for all ENBs.

Key derivation for SAE systems-Alternative 3
In this alternative, the LTE / SAE system uses UMTS AV as shown in FIG. 14 and derives other keys as shown in equations 8-13.

In the above formula, prf represents a pseudo-random function, UE represents a user equipment (User Equipment), ID represents an identifier (Identifier), and MME represents a mobility management entity (Mobility Management Entity).
The unique key is derived for the network entity.

  Other control methods and devices can be derived from various combinations of the methods and devices of the present invention as shown in the above description and accompanying drawings, and those skilled in the art are within the scope of the present invention. It is self-evident. It should be noted that the host for storing the application includes, but is not limited to, a microchip, a microprocessor, a handheld communication device, a computer, a rendering device or a multifunction device. is there.

  As described above, the specific embodiments have been described in the detailed description of the present invention. However, it is understood by those skilled in the art that various modifications can be made without departing from the scope of the claims. Is obvious. Therefore, the scope of the present invention should not be limited to the above-described embodiments, but should be determined based on the description of the scope of claims and equivalents thereof.

FIG. 2 is a diagram illustrating a conventional logical upper hierarchy for an evolved system. It is a figure which shows the conventional I-WLAN system configuration and network elements. FIG. 6 is a diagram illustrating a message flow for backward handover (scenario 2 access) from an SAE to an I-WLAN access system according to the present invention. FIG. 6 is a diagram illustrating a message flow for backward handover (scenario 2 and scenario 3 access) from the SAE to the I-WLAN access system according to the present invention. FIG. 6 is a diagram illustrating a message flow for backward handover (scenario 3 access) from the SAE to the I-WLAN access system according to the present invention. FIG. 6 is a diagram illustrating a message flow for reverse handover from I-WLAN to LTE according to the present invention (alternative 1). FIG. 6 is a diagram illustrating a message flow for reverse handover from I-WLAN to LTE according to the present invention (alternative 2). FIG. 4 is a diagram illustrating a message flow for reverse handover from a UMTS system to an LTE system according to the present invention. FIG. 4 shows a message flow for a reverse handover from an LTE system to a UMTS system according to the present invention. FIG. 6 is a diagram illustrating a message flow for reverse handover (scenario 2 access) from a UMTS system to an I-WLAN access system according to the present invention. FIG. 6 shows a message flow for reverse handover (scenario 2 and scenario 3 access) from a UMTS system to an I-WLAN access system according to the present invention. FIG. 6 is a diagram illustrating a message flow for reverse handover (scenario 3 access) from a UMTS to an I-WLAN access system according to the present invention. FIG. 6 shows a key derivation (alternative 1) for an evolved system according to the invention. FIG. 6 shows a key derivation (alternative 1) for an evolved system according to the invention.

Explanation of symbols

  1, 2a, 2b, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11a.1, 11a.2, 11a.3, 11a.4, 11a.5, 11b, 12, 12a, 12b, 13, 14, 15, 16, 17; step

Claims (24)

A method for optimizing an authentication procedure at the time of handover between access systems in a heterogeneous network,
Deriving a new key to access the new system;
Optimizing the authentication procedure using the existing system access key at the time of handover from the existing system to the new system;
Receiving a temporary ID (Identification) by the UE for accessing the new system at the time of handover preparation and enabling the UE to perform fast re-authentication in the new system;
A method characterized by comprising: The optimization of the authentication procedure is
Forward handover from I-WLAN (Integrated Wireless Local Area Network access system) to SAE (System Architecture Evolution access system) and reverse handover from SAE to I-WLAN;
Forward handover from UMTS (Universal Mobile Telecommunication System) to SAE and backward handover from SAE to UMTS;
The method of claim 1, wherein the UE handover is related to at least one of a forward handover from I-WLAN to UMTS and a reverse handover from UMTS to I-WLAN. Method. The reverse handover from the SAE access system to the I-WLAN is
Transmitting periodic or event-based measurements to the EUTRAN (Enhanced UMTS Terrestrial Radio Access Network) by the UE;
Determining that the UE measurement value transmitted is below a threshold by ENB (Evolving Node B) / MME (Mobility Management Entity), or determining that EUTRAN cannot be sustained by MME;
The ENB / MME requests the UE to scan for other RATs (Radio Access Technology) or RATs available in the service area of the UE, or determines that the EUTRAN cannot be sustained by the UE and determines other RATs. Scanning, and
The UE transmits an I-WLAN measurement report including the I-WLAN ID and NAI (Network Access Identifier) to the SAE system together with other parameters, and the UE is connected to the IE by the ENB / MME or ENB / MME and the logical interworking unit. -Deciding to hand over to the WLAN network;
The MME uses the NAI to analyze an AAA (Authentication, Authorization, and Accounting) server IP address of the I-WLAN, and connects to the AAA server through a logical interworking unit, and the logical interworking unit is MME, AAA. A step located in one of the server or network entities of the SAE system or the I-WLAN system;
The MME transmits a handover request to the AAA server through the interworking unit, and the handover request includes NAI, I-WLAN ID, unused AV (Authentication Vector), latest CK (Cypher Key), and IK (Integrity Key). ) And other parameters,
The AAA server confirms HSS (Home Subscription Server) so as to determine whether another AAA is registered or not. If not, software registration is performed by the AAA server. And MS to generate MSK, TEK, and EMSK keys, generate a temporary ID including a pseudonym ID and a fast re-authentication ID, protect the temporary ID using the TEK, and transmit to the UE When,
Transmitting a handover approval message to the MME through the interworking unit by the AAA server, the handover approval message including a protected temporary ID and an indication indicating whether authentication is required;
Transmitting, by the MME, a handover command message including the received parameter to the UE through a handover acknowledge message;
After the UE receives a handover command from the SAE system for handover to the I-WLAN network, it generates MSK, TEK and EMSK keys using the CK and IK and decrypts the protected temporary ID Steps,
Starting a L2 (Layer 2) connection with the I-WLAN by the UE;
The method of claim 2, comprising: When the I-WLAN system requests authentication, starting an authentication procedure with the I-WLAN;
Transmitting a fast re-authentication temporary ID by the UE when the UE receives a handover command;
Transmitting an EAP response identification message to the AAA server through the I-WLAN together with one of the temporary protection ID, temporary fast re-authentication ID, and EAP (Extensible Authentication Protocol) response identification message integrity protection by the UE; ,
The AAA authenticates the UE by receiving an EAP response identification message along with the temporary ID by the AAA server and verifying integrity protection and the temporary ID;
If the AAA server has previously requested to use a protected successful result indication, it transmits an EAP request / AKA notification message before transmitting an EAP success message, and the EAP request / AKA notification message is MAC (Medium Access Control) protected, the AAA server generates a new temporary ID and the EAP request / AKA notification message and transmits to the UE;
The EAP request / AKA notification message is transmitted to the UE by the I-WLAN, the UE transmits the EAP response / AKA notification and transmits the EAP response / AKA notification message to the AAA server, and the AAA server considers the content of the message. Don't step and
When the AAA server transmits an EAP success message to the I-WLAN and an additional keying element is generated for the I-WLAN, the I-WLAN uses the keying element used for communication with the authenticated WLAN-UE. Storing, and
If the AAA server does not utilize the protected successful result indication, generating a new temporary ID and transmitting it to the UE along with the EAP success message;
The I-WLAN informs the WLAN-UE about successful authentication through an EAP success message, the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN share the keying elements derived during the EAP AKA exchange And steps to
Initiating a fast re-authentication procedure with the I-WLAN network by the UE, and if the UE does not receive the fast re-authentication ID, the UE transmits an anonymous ID to initiate the overall authentication procedure;
The method of claim 3, further comprising: The reverse handover from the SAE access system to the I-WLAN is
Transmitting periodic or event-based measurements to the EUTRAN by the UE;
Determining by the ENB / MME that the transmitted UE measurement is below a threshold or determining by the MME that EUTRAN cannot be sustained;
Requesting the UE to scan other RATs or RATs available in the service area of the UE by the ENB / MME, or determining that the EUTRAN cannot be sustained by the UE and scanning the other RATs;
Determining by the UE to transmit an I-WLAN measurement report including at least an I-WLAN ID and NAI to the SAE system and handing over the UE to the I-WLAN network by the ENB / MME;
The MME uses the NAI to analyze the AAA server IP address of the I-WLAN and connects to the AAA server through a logical interworking unit, and the logical interworking unit can be an MME, AAA server, or SAE system or I- A step located in one of the network entities of the WLAN system;
Transmitting a handover request to the AAA server through the interworking unit by the MME, wherein the handover request includes NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters;
The HSS is checked by the AAA server to determine whether another AAA has been registered. Otherwise, the AAA server performs soft registration, and the AAA uses the NAI, CK, and IK. Generating MSK, TEK, and EMSK keys, generating a temporary ID including an anonymous ID and a fast re-authentication ID, protecting the temporary ID using the TEK, and transmitting to the UE;
Transmitting a handover approval message to the MME through the interworking unit by the AAA server, the handover approval message including a protected temporary ID and an indication indicating whether authentication is required;
Transmitting, by the MME, a handover command message including the received parameter to the UE through a handover acknowledge message;
After the UE receives a handover command from the SAE system for handover to the I-WLAN network, the UE generates MSK, TEK and EMSK keys using the CK and IK, and decrypts the protected temporary ID. And steps to
Initiating an L2 connection with the I-WLAN by the UE;
The method of claim 1, comprising: When the I-WLAN system requests authentication, starting an authentication procedure with the I-WLAN;
Transmitting a fast re-authentication temporary ID by the UE when the UE receives a handover command;
The UE transmits an EAP response identification message to the AAA server through the I-WLAN together with one of the temporary anonymous ID, the temporary fast re-authentication ID, and the integrity protection of the EAP (Extensible Authentication Protocol) response identification message. When,
The AAA server authenticates the UE by receiving an EAP response identification message along with the temporary ID and verifying integrity protection and the temporary ID by the AAA server;
If the AAA server requests in advance to use the protected successful result display, the EAP request / AKA notification message is transmitted before the EAP success message is transmitted, and the EAP request / AKA notification message is transmitted. MAC protected, the AAA server generates a new temporary ID and the EAP request / AKA notification message and transmits to the UE;
The EAP request / AKA notification message is transmitted to the UE by the I-WLAN, the UE transmits the EAP response / AKA notification and transmits the EAP response / AKA notification message to the AAA server, and the AAA server transmits the content of the message. Steps not to consider,
When the AAA server transmits an EAP success message to the I-WLAN and an additional keying element is generated for the I-WLAN, the I-WLAN is used for communication with the authenticated WLAN-UE. A step of storing
If the AAA server does not utilize a protected successful result indication, a new temporary ID is generated by the AAA server and transmitted to the UE along with an EAP success message;
The I-WLAN informs the WLAN-UE about the successful authentication through an EAP success message, and the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN have the keying elements derived during the EAP AKA exchange. Sharing steps,
Initiating a fast re-authentication procedure by the UE with the I-WLAN network, and if the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to initiate the overall authentication procedure;
The UE initiates an optimized authentication procedure listed by the AAA server in the HO command after a successful authentication procedure, and the UE uses the EMSK (Extended Master Session Key) based optimization procedure to perform the optimization. Initiating an authentication procedure, and
6. The method of claim 5, wherein the UE selectively initiates a fast re-authentication procedure for the optimized authentication procedure. After successful connection with the I-WLAN, the UE initiates an optimized authentication procedure listed by the AAA server in the HO command, which uses an EMSK (Extended Master Session Key) based optimization procedure. Initiating the optimized authentication procedure
The method of claim 5, wherein the UE selectively initiates a fast re-authentication procedure for the optimized authentication procedure. Forward handover from SAE to I-WLAN AS is
During the authentication procedure, the UE transmits details of the existing access system that is currently the previous access system, retrieves the security context and the buffered context from the previous access system by the core network, and details the previous access system Is transmitted in the EAPOL ID response message;
During the authentication procedure, the UE and the network derive a plurality of keys using CK and IK, the core network generates a temporary ID and transmits it to the UE, and the UE starts a fast re-authentication procedure;
The most recently successfully received packet sequence number by the UE is transmitted to the I-WLAN network, the I-WLAN network transmits the packet to the core network, and the core network is finally successfully transmitted by the UE. Starting to transmit packets after the received sequence number;
The method of claim 2, comprising: Reverse handover from I-WLAN to SAE system is
Periodically or event by logical decision and interworking unit placed in one of network entities of MME, AAA server and SAE system or I-WLAN system by UE, or individually Transmitting a base measurement value;
When the logical decision and interworking unit learns that the UE measurement is below a threshold value or that the I-WLAN cannot be sustained, the logical decision and interworking unit allows other RATs to be Request UE to start scanning, or request by ENB / MME to scan UE for specific RATs available in its service area, or determine that I-WLAN cannot be sustained by UE Starting scanning of other RATs;
Transmitting a SAE measurement report including TAI, selected UIA and UEA, ENB-ID and START value by said UE to the logical decision and interworking unit through AAA server;
The logical decision and interworking unit decides to hand over the UE to the SAE network and informs the AAA server of the decision;
Using the TAI, the AAA server connects to the HSS to know the MME address;
The AAA server transmits a handover request message to an MME / UPE (User Plane Entity), and the handover request message includes at least the previous RAT type, the unused AV, the latest CK and IK, and the ENB-ID. Steps,
Checking the HSS as to whether another AAA has been registered by the MME, and if not, performing a soft registration to generate a key;
Transmitting a handover approval message to the AAA server through the interworking unit by the MME, the MME including the selected UEA and UIA, FRESH, and determining whether to start the last RAN protection;
Transmitting parameters received by the AAA server through a handover acknowledgment message to the UE through a handover command message;
After receiving a handover command from an AAA server for handover to the SAE network, the UE derives a key specific to the SAE system using the latest CK and IK;
The UE initiates an L2 connection with the ENB without any protection;
The UE transmits an initial L3 message to the MME / UPE, the initial L3 message includes user identification, START value and MAC-I _NAS , MAC-I _NAS is derived SAE specific key, and FRESH and START value A step calculated using
Verifying MAC-I using the key derived by the MME / UPE, the received START and FRESH values;
The MME / UPE transmits an initial L3 message response including keys for ENB, START, FRESH and UEA and UIA, and an initial L3 message excluding the keys for ENB, START, and optionally FRESH and UEA and UIA. Calculating a MAC-I _NAS through the response;
Receiving an initial L3 message response by the MME and storing keys for START, FRESH, UEA and UIA;
With the ENB, an initial L3 message transmits a response to the UE and initiates RAN security (MAC-I _RAN );
Verifying MAC-I _NAS and MAC-I _RAN by the UE;
The method of claim 2, comprising: Reverse handover from I-WLAN to SAE system (alternative 2)
Periodically or event by logical decision and interworking unit placed in one of network entities of MME, AAA server and SAE system or I-WLAN system by UE, or individually Transmitting a base measurement value;
When the logical decision and interworking unit knows that the UE measurement is below a threshold value or that the I-WLAN cannot be sustained, the logical decision and interworking unit gives the UE another Request that the RAT start to scan, or by ENB / MME, request the UE to scan for a specific RAT available in its service area, or determine that the UE cannot sustain I-WLAN Starting scanning of other RATs,
Transmitting a SAE measurement report including TAI, selected UIA and UEA, ENB-ID and START value by said UE to the logical decision and interworking unit through AAA server;
The logical decision and interworking unit decides to hand over the UE to the SAE network and informs the AAA server of the decision;
Using the TAI, the AAA server connects to the HSS to know the MME address;
Transmitting a handover request message to the MME / UPE by the AAA server, wherein the handover request message includes at least a previous RAT type, an unused AV, the latest CK and IK, and an ENB-ID;
Checking the HSS as to whether another AAA has been registered by the MME; otherwise, performing a soft registration and generating a key using the CK and IK transmitted by the AAA server;
Generating a FRESH by the MME and distributing the security context to the ENB using the ENB-ID;
Transmitting a handover approval message by the MME to an AAA server through an interworking unit, the handover approval message including an indication for the initiation of the selected UEA and UIA, FRESH and RAN protection;
The AAA server transmits the parameter received through a handover acknowledge message to the UE through a handover command message;
Determining the key specific to the SAE system using the latest CK and IK by the UE, and starting RAN protection after receiving a handover command from the AAA server to hand over the UE to the SAE network; ,
The UE initiates an L2 connection with the ENB, protects the RRC message, and in the initial message to the ENB, the UE transmits the START value and uses the derived SAE-specific key, FRESH and START value to Calculating I _RAN and ENB verifying MAC-I _RAN ;
The UE transmits an initial L3 message to the MME / UPE, and the initial L3 message includes a user identification, a START value and a MAC-I _NAS , and the MAC-I _NAS includes a derived SAE-specific key, and a FRESH and START value. Steps calculated using:
Verifying MAC-I by the MME / UPE using the derived key, the received START and FRESH values;
Transmitting an initial L3 message response by the MME / UPE, and the MME calculating a MAC-I _NAS through the initial L3 message response;
The method of claim 2, further comprising: Forward handover from I-WLAN to SAE system is
Details of the existing access system in which the UE is currently the previous access system was transmitted in the TAU procedure and buffered by the core network with the security context (CK and IK) from the previous access system in the TAU procedure or initial NAS message The method of claim 2, further comprising searching for a packet. Reverse handover from UMTS to SAE system is
The UE transmits periodic or event-based measurements through a report to a SGSN (Serving GPRS Support Node);
Based on the measurement report, the SGSN requests the UE to start scanning other RATs, and the ENB / MME requests the UE to scan for other RATs or RATs available in the UE's service area. Or determining that EUTRAN cannot be sustained by the UE and scanning other RATs;
Transmitting to the SGSN the SAE measurement report including TAI, selected UIA and UEA, START value and ENB-ID by the UE;
The SGSN decides to hand over the UE to the SAE network, the SGSN uses the TAI to determine the MME address and connects to the MME using at least one of the S3 or S4 interfaces, and the HSS Connecting to
The SGSN transmits a handover request message to the MME / UPE. The handover request message includes at least a security context, a previous RAT type, an unused AV, the latest CK and IK, an ENB-ID, a START value, and a KSI. Including steps;
The MME checks the HSS as to whether another MME is registered with the HSS, and if not, the MME performs a soft registration and generates a key using CK and IK transmitted by the SGSN, The MME converting the UMTS parameters into SAE specific parameters using a logical interworking unit located in one of the network entities of the MME, AAA server, or SAE system or I-WLAN system;
Generating FRESH using ENB-ID to distribute to ENB a security context including ENB keys for at least RAN protection, selected UIA and UEA, FRESH, START and KSI by said MME; and
Transmitting a handover approval message to the SGSN by the MME, wherein the handover approval message includes UEA, UIA and FRESH;
Transmitting the parameters received by the SGSN through a HO acknowledgment message to the UE through a handover command message;
Initiating RAN protection after the UE determines a key specific to the SAE system using the latest CK and IK and receives a handover command from the SGSN to hand over the UE to the SAE network;
The UE initiates an L2 connection with the ENB, protects the RRC message, and in the initial message to the ENB, the UE transmits the START value and uses the derived SAE-specific key, FRESH and START value to a step of verifying _{MAC-I RAN} calculates the I _RAN, using the security text ENB is received with START value,
The UE transmits an initial L3 message to the MME / UPE, where the initial L3 message includes user identification, START value, KSI and MAC-I _NAS , the MAC-I _NAS is derived SAE specific key, and FRESH and A step calculated using the START value;
Verifying the MAC-I _NAS by the MME / UPE using the derived key, the received START and FRESH values;
Transmitting an initial L3 message response by the MME / UPE, and the MME calculating a MAC-I _NAS through the initial L3 message response;
The method of claim 2, further comprising: Forward handover from UMTS to SAE system is
During the TAU procedure or initial NAS message, the UE transmits details of the existing access system that is the previous access system, and the core network retrieves the security context (CK and IK) and buffered packets from the previous access system The method of claim 2, further comprising the step of: Reverse handover from SAE to UMTS system is
Transmitting periodic or event-based measurements by the UE to the ENB / MME through reports;
Use the report to request the UE to start scanning other RATs or RATs available in the service area of the UE by the ENB / MME, or determine that the EUTRAN cannot be sustained by the UE Scanning other RATs,
Transmitting to the ENB / MME a UMTS measurement report including RAI, supported UIA and UEA, KSI and START values, and cell ID by the UE;
By the SGSN, the UE decides to hand over the UE to the UMTS network, and the MME knows the address of the SGSN using the RAI and uses one of the S3 or S4 interfaces or connects to the HSS Connecting to the SGSN;
The MME transmits a handover request message to the SGSN, which includes the security context, the previous RAT type, the unused AV, the latest CK and IK, the cell ID, the START value, the KSI and other parameters. Including, the MME converts the SAE parameters to UMTS specific parameters using a logical interworking unit located in one of the network entities of the MME, SGSN, or SAE system or UMTS system. Steps,
Checking with the SGSN as to whether another SGSN has registered with the HSS, and if not, the SGSN performs soft registration;
The SGSN generates FRESH and distributes the security context including the keys for at least protected, selected UIA and UEA, FRESH, START and KSI to the RNC using the cell ID, and the RNC receives the received parameter A step of storing
Transmitting a handover approval message to the MME by the SGSN, the handover approval message including UEA, UIA and FRESH;
Transmitting, by the MME, parameters received through a handover acknowledge message to the UE through a handover command message;
Initiating RAN protection using the most recent CK and IK for the UMTS network by the UE after receiving a handover command from the MME to handover to the UMTS network;
Initiating an L2 connection with the RNC by the UE, the UE starts protecting the RRC message, and communicating a START value to the RNC during the initial message;
Transmitting by the UE an initial L3 message including user identification, START value, KSI and MAC-I to the SGSN;
Verifying MAC-I by RNC and transmitting to SGSN;
The method of claim 2, further comprising: Forward handover from SAE to UMTS system is
During the RAU procedure or the first NAS message, the UE carries details of the existing access system that is the previous access system, and the current network is buffered with the security context (CK and IK) from the previous access system. The method of claim 2, further comprising the step of searching for. The reverse handover from UMTS to I-WLAN access system is:
Transmitting periodic or event-based measurements to the EUTRAN by the UE;
Determining by the RNC / SGSN that the transmitted UE measurement is below a threshold, or determining by the SGSN that EUTRAN cannot be sustained;
Requesting the UE to scan other RATs or RATs available in the service area of the UE by the ENB / MME, or determining that the EUTRAN cannot be sustained by the UE and scanning the other RATs;
Transmitting, by the UE, an I-WLAN measurement report including an I-WLAN ID and NAI together with other parameters to the SGSN system, and determining by the SGSN to hand over the UE to the I-WLAN network;
The SGSN uses the NAI to analyze the AAA server IP address of the I-WLAN and connects to the AAA server through a logical interworking unit, and the logical interworking unit is an SGSN, AAA server, or UMTS system or I- A step located in one of the network entities of the WLAN system;
Transmitting a handover request by the SGSN to an AAA server through an interworking unit, the handover request including NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters;
The HSS is checked by the AAA server to determine whether another AAA has been registered. Otherwise, the AAA server performs soft registration, and the AAA uses the NAI, CK, and IK. Generating MSK, TEK, and EMSK keys, generating a temporary ID including an anonymous ID and a fast re-authentication ID, protecting the temporary ID using the TEK, and transmitting to the UE;
Transmitting a handover approval message to the SGSN through the interworking unit by the AAA server, the handover approval message including a protected temporary ID and an indication indicating whether authentication is required;
Transmitting a handover command message including the received parameter by the SGSN to the UE through a handover acknowledge message;
After the UE receives a handover command from the UMTS system for handover to the I-WLAN network, the UE generates MSK, TEK and EMSK keys using the CK and IK and decrypts the protected temporary ID And steps to
Initiating an L2 connection with the I-WLAN by the UE;
The method of claim 2, comprising: When the I-WLAN system requests authentication, starting an authentication procedure with the I-WLAN;
Transmitting a fast re-authentication temporary ID by the UE when the UE receives a handover command;
Transmitting an EAP response ID message to the AAA server through the I-WLAN along with one of the temporary anonymous ID, temporary fast re-authentication ID, and integrity protection of the EAP response identification message by the UE;
When the AAA server receives the EAP response identification message along with the temporary identification, the AAA server verifies integrity protection and the temporary ID;
Authenticating the UE with the AAA server;
If the AAA server has previously requested to use a protected successful result indication, it transmits an EAP request / AKA notification message before transmitting an EAP success message, and the EAP request / AKA notification message is MAC protected steps;
The AAA server generates a new temporary ID and an EAP request / AKA notification message and transmits them to the UE;
The EAP request / AKA notification message is transmitted to the UE by the I-WLAN, the UE transmits the EAP response / AKA notification and transmits the EAP response / AKA notification message to the AAA server, and the AAA server transmits the content of the message. Steps not to consider,
When the AAA server transmits an EAP success message to the I-WLAN and an additional keying element is generated for the I-WLAN, the AAA server includes the keying element in the basic AAA protocol message, and the I-WLAN authenticates. Storing a keying element used for communication with the configured WLAN-UE;
If the AAA server does not utilize a protected successful result indication, generating a new temporary ID and transmitting it to the UE along with an EAP success message;
The I-WLAN informs the WLAN-UE about the successful authentication through an EAP success message, and the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN have the keying elements derived during the EAP AKA exchange. Sharing steps,
Initiating a fast re-authentication procedure by the UE with the I-WLAN network, and if the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to initiate the overall authentication procedure;
The method of claim 16, further comprising: The reverse handover from UMTS to I-WLAN access system is:
Transmitting periodic or event-based measurements to the EUTRAN by the UE;
Determining by the RNC / SGSN that the transmitted UE measurement is below a threshold, or determining by the SGSN that EUTRAN cannot be sustained;
Requesting the UE to scan other RATs or RATs available in the service area of the UE by the ENB / MME, or determining that the EUTRAN cannot be sustained by the UE and scanning the other RATs;
Transmitting, by the UE, an I-WLAN measurement report including an I-WLAN ID and NAI together with other parameters to the SGSN system, and determining by the SGSN to hand over the UE to the I-WLAN network;
The SGSN uses the NAI to analyze the AAA server IP address of the I-WLAN and connects to the AAA server through a logical interworking unit, and the logical interworking unit is an SGSN, AAA server, or UMTS system or I- A step located in one of the network entities of the WLAN system;
Transmitting a handover request by the SGSN to an AAA server through an interworking unit, the handover request including NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters;
The HSS is checked by the AAA server to determine whether another AAA has been registered. Otherwise, the AAA server performs soft registration, and the AAA uses the NAI, CK, and IK. Generating MSK, TEK, and EMSK keys, generating a temporary ID including an anonymous ID and a fast re-authentication ID, protecting the temporary ID using the TEK, and transmitting to the UE;
The AAA server transmits a handover approval message to the SGSN through the interworking unit, and the handover approval message includes a protected temporary ID and an indication whether authentication is required, and the AAA server Including an optimization procedure supported for a UE that continuously performs the handover procedure in an acknowledgment message;
Transmitting a handover command message including the received parameter by the SGSN to the UE through a handover acknowledge message;
After the UE receives a handover command from the UMTS system for handover to the I-WLAN network, the UE generates MSK, TEK and EMSK keys using the CK and IK and decrypts the protected temporary ID And steps to
Initiating an L2 connection with the I-WLAN by the UE;
The method of claim 2, comprising: When the I-WLAN system requests authentication, starting an authentication procedure with the I-WLAN;
Transmitting a fast re-authentication temporary ID by the UE when the Temp ID receives a handover command by the UE;
Transmitting an EAP response identification message to the AAA server through the I-WLAN along with one of the temporary anonymous ID, temporary fast re-authentication ID, and integrity protection of the EAP response identification message by the UE;
When the AAA server receives the EAP response identification message along with the temporary ID, the AAA server authenticates the UE by the AAA server by verifying the integrity protection and the temporary ID by the AAA server;
If the AAA server has previously requested to use a protected successful result indication, it transmits a message EAP request / AKA notification message before transmitting an EAP success message, and the EAP request / AKA notification message. Are MAC protected steps;
The AAA server generates a new temporary ID and an EAP request / AKA notification message and transmits them to the UE;
The EAP request / AKA notification message is transmitted to the UE by the I-WLAN, the UE transmits the EAP response / AKA notification and transmits the EAP response / AKA notification message to the AAA server, and the AAA server transmits the content of the message. Steps not to consider,
When the AAA server transmits an EAP success message to the I-WLAN and an additional keying element is generated for the I-WLAN, the AAA server includes the keying element in the basic AAA protocol message, and the I-WLAN authenticates. Storing a keying element used for communication with the configured WLAN-UE;
If the AAA server does not utilize a protected successful result indication, generating a new temporary ID and transmitting it to the UE along with an EAP success message;
The I-WLAN informs the WLAN-UE about the successful authentication through an EAP success message, and the EAP AKA exchange is successfully completed, and the WLAN-UE and I-WLAN are derived keying elements during the EAP AKA exchange. Sharing steps,
Initiating a fast re-authentication procedure by the UE with the I-WLAN network, and if the UE does not receive a fast re-authentication ID, the UE transmits an anonymous ID to initiate the overall authentication procedure;
After a successful authentication procedure, the UE initiates an optimized authentication procedure listed by the AAA server in the handover command, and the UE initiates the optimized authentication procedure using an EMSK based optimization procedure And steps to
Selectively initiating a fast re-authentication procedure for the optimized authentication procedure by the UE;
The method of claim 18 further comprising: The reverse handover from UMTS to I-WLAN access system is:
Transmitting periodic or event-based measurements to the EUTRAN by the UE;
Determining by the RNC / SGSN that the transmitted UE measurement is below a threshold, or determining by the SGSN that EUTRAN cannot be sustained;
Requesting the UE to scan other RATs or RATs available in the service area of the UE by the ENB / MME, or determining that the EUTRAN cannot be sustained by the UE and scanning the other RATs;
Transmitting, by the UE, an I-WLAN measurement report including an I-WLAN ID and NAI together with other parameters to the SGSN system, and determining by the SGSN to hand over the UE to the I-WLAN network;
The SGSN uses the NAI to analyze the AAA server IP address of the I-WLAN and connects to the AAA server through a logical interworking unit, and the logical interworking unit is an SGSN, AAA server, or UMTS system or I- A step located in one of the network entities of the WLAN system;
Transmitting a handover request by the SGSN to an AAA server through an interworking unit, the handover request including NAI, I-WLAN ID, unused AV, latest CK and IK, and other parameters;
The HSS is checked by the AAA server to determine whether another AAA has been registered. Otherwise, the AAA server performs soft registration, and the AAA uses the NAI, CK, and IK. Generating MSK, TEK, and EMSK keys, generating a temporary ID including an anonymous ID and a fast re-authentication ID, protecting the temporary ID using the TEK, and transmitting to the UE;
Transmitting a handover approval message to the SGSN through the interworking unit by the AAA server, the handover approval message including a protected temporary ID and an indication indicating whether authentication is required;
Transmitting a handover command message including the received parameter by the SGSN to the UE through a handover acknowledge message;
After the UE receives a handover command from the UMTS system for handover to the I-WLAN network, the UE generates MSK, TEK and EMSK keys using the CK and IK and decrypts the protected temporary ID And steps to
Initiating an L2 connection with the I-WLAN by the UE;
After the successful connection with the I-WLAN AN by the UE, it initiates an optimized authentication procedure for the scenarios listed by the AAA server in the handover command, and the EMSK based optimization procedure by the UE Initiating the optimized authentication procedure using:
Selectively initiating a fast re-authentication procedure for the optimized authentication procedure by the UE;
The method of claim 2, further comprising: Forward handover from SAE system to I-WLAN is
During the authentication procedure, the UE transmits details of the existing access system that is currently the previous access system, retrieves the security context and the buffered context from the previous access system by the core network, and details the previous access system Is transmitted in the EAPOL ID response message;
The core network generates a temporary ID and transmits it to the UE, the UE initiates a fast re-authentication procedure for authentication optimized during the authentication procedure, and the UE and the network use CK and IK as keys A step of deriving
The most recently successfully received packet sequence number by the UE is transmitted to the I-WLAN network, the I-WLAN network transmits the packet to the core network, and the core network is finally successfully transmitted by the UE. Starting to transmit packets after the received sequence number;
The method of claim 2 comprising: Reverse handover from I-WLAN to UMTS access system is
Using the latest CK and IK by the UE and network, the UE initiates an RRC connection procedure and an SMC procedure without AKAA authentication;
Selectively performing an SMC procedure in a handover preparation phase;
The method of claim 2, further comprising transmitting an algorithm supported by the network, and the UE selects an algorithm to begin protecting the initial message. Forward handover from I-WLAN to UMTS access system is
During the RAU procedure, the UE further transmits the details of the previous access system in the RAU message, and the core network further includes retrieving the security context and buffered packets from the existing and current previous access systems. The method according to claim 2. A system for optimizing an authentication procedure at the time of handover between access systems in a heterogeneous network,
A means of deriving a new key to access the new system;
Means for optimizing the authentication procedure using an existing system access key used with the existing system at the time of handover from the existing system to the new system;
Means for receiving a temporary ID by a user terminal accessing a new system at the time of handover preparation enabling the user terminal to perform fast re-authentication;
A system characterized by including.

Images